null pointer dereference vulnerability in Segment() #22
Comments
Thanks for the bug report, but unfortunately I am unable to reproduce the segfault you've described. I tested against Intel 64-bit and 32-bit on both Clang and GCC, all release builds, and in all cases we got the expected output:
Could you please confirm you've tested against the latest release (3.11), and if so, tell me what platform (OS, CPU) and the commit hash of the source used to generate your build of graphite. In addition, could you confirm that your build passes
Thank you.
Hi Tim, the issue can be reproduced stably on my Ubuntu Linux box. Segfault on the latest (3.11):
I also tried the master branch code and it gets a segfault in the same way.
make test shows that all tests passed:
Hope the following information can help you to reproduce the issue.
Build Commands:
OS Release:
Uname Output:
GCC version:
Have you lost the letter 'f' in the file extension?
You are right, I mistyped the font file name, and I can now reproduce the bug.
This bug is to do with the gr_face_dumbRendering flag that gr2fonttest sets if you enable -cache. If a font has no Silf table and dumbRendering is enabled, it is supposed to carry on and do basic dumb rendering. But it is clear that this has never worked and that therefore nobody is asking for it. The fix, therefore, is to deprecate the flag and make it ineffective. HarfBuzz does a much better job of dumb rendering than we would ever do. Fixed in db132b4
The segcache has been removed, thus -cache is no longer valid. Please retest without -cache and reopen this bug if there is still a problem.
Hi. I tried to reproduce this in the Debian wheezy version (1.3.10) with the given POC. Unfortunately I am unable to reproduce. Is it affected from 1.3.11? (though the code base is not much different)
0x01 Description
A null pointer dereference vulnerability was found in Segment.cpp, which may allow attackers to cause a denial of service or possibly have unspecified other impact via a crafted font type file.
0x02 How to reproduce
The issue can be reproduced by the following command:
0x03 Cause Analysis
The program failed to verify pointer m_silf in Segment():
poc-libgraphite2-segment-null-pointer-dereference.zip
0x04 Author
Ziqiang Gu from WeiRan Labs
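The failure path that the report and the maintainer's reply describe, as an added C++ illustration that is not graphite2's code and was not posted by anyone in this thread: a font with no Silf table is accepted only because a dumb-rendering flag is set, the face's Silf lookup then returns a null pointer, and the segment constructor dereferences it unchecked. The fixed variant applies the maintainer's remedy of ignoring the flag, so a Silf-less font never yields a face at all. Every name here (`Face`, `Silf`, `Segment`, `make_face_vulnerable`, `make_face_fixed`, `has_table`, `can_make_segment`, `fake_font`, the `kDumbRendering` flag) and the toy SFNT blobs are assumptions made for the example, not graphite2 identifiers or real font files; only the SFNT table-directory layout (12-byte header, 16-byte records starting with a 4-byte tag) is taken from the font format itself.

```cpp
// Added model of the null-dereference path described in this issue.
// NOT graphite2 code: names mirror the thread, bodies are simplified.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

namespace demo {

// Walk an SFNT table directory: 12-byte offset table (sfntVersion,
// numTables, searchRange, entrySelector, rangeShift) then 16-byte records
// (tag, checksum, offset, length). Only the tag is inspected, and a
// directory that runs past the end of the buffer is treated as "no table".
static bool has_table(const std::vector<uint8_t>& font, const char tag[4]) {
    if (font.size() < 12) return false;
    const uint16_t numTables = (uint16_t)((font[4] << 8) | font[5]);
    const size_t dirEnd = 12 + (size_t)numTables * 16;
    if (dirEnd > font.size()) return false;            // truncated directory
    for (size_t i = 0; i < numTables; ++i)
        if (std::memcmp(&font[12 + i * 16], tag, 4) == 0) return true;
    return false;
}

struct Silf { uint8_t numUser = 1; };  // stand-in for a real Silf subtable

struct Face {
    std::vector<Silf> silfs;            // one entry per Silf subtable found
    // Returns nullptr when the font carries no Silf table at all.
    const Silf* chooseSilf(uint32_t /*script*/) const {
        return silfs.empty() ? nullptr : &silfs[0];
    }
};

enum Flags : unsigned { kDefault = 0, kDumbRendering = 1 };

// Vulnerable shape: with kDumbRendering set, a Silf-less font is still
// accepted, so chooseSilf() on the resulting Face hands out a null pointer.
static std::unique_ptr<Face> make_face_vulnerable(const std::vector<uint8_t>& font,
                                                  unsigned flags) {
    std::unique_ptr<Face> face(new Face());
    if (has_table(font, "Silf")) face->silfs.push_back(Silf());
    else if (!(flags & kDumbRendering)) return nullptr;  // rejected only without the flag
    return face;
}

// Fixed shape: the flag is ignored (deprecated, as the maintainer chose),
// so a font without a Silf table never produces a Face.
static std::unique_ptr<Face> make_face_fixed(const std::vector<uint8_t>& font,
                                             unsigned /*flags*/) {
    if (!has_table(font, "Silf")) return nullptr;
    std::unique_ptr<Face> face(new Face());
    face->silfs.push_back(Silf());
    return face;
}

// The constructor as the report describes it: m_silf is used unchecked.
struct Segment {
    const Silf* m_silf;
    size_t m_numUser;
    Segment(const Face& face, uint32_t script)
    : m_silf(face.chooseSilf(script)),
      m_numUser(m_silf->numUser) {}   // crashes if chooseSilf() returned nullptr
};

// Caller-side guard a defensive API layer would add: never build a Segment
// from a face that has no Silf to shape with.
static bool can_make_segment(const Face* face, uint32_t script) {
    return face != nullptr && face->chooseSilf(script) != nullptr;
}

// Constructed test fonts (not real font files): an SFNT header followed by
// a directory of bare records whose only meaningful field is the 4-byte tag.
static std::vector<uint8_t> fake_font(const std::vector<std::string>& tags) {
    std::vector<uint8_t> f(12, 0);
    f[1] = 0x01;                                         // sfntVersion 0x00010000
    f[4] = (uint8_t)(tags.size() >> 8);
    f[5] = (uint8_t)(tags.size() & 0xff);
    for (const auto& t : tags) {                         // each tag is exactly 4 chars
        std::vector<uint8_t> rec(16, 0);
        std::memcpy(rec.data(), t.data(), 4);
        f.insert(f.end(), rec.begin(), rec.end());
    }
    return f;
}

} // namespace demo

int main() {
    const auto silfless = demo::fake_font({"cmap", "glyf"});
    auto vuln = demo::make_face_vulnerable(silfless, demo::kDumbRendering);
    std::printf("vulnerable: face=%p silf=%p (segment would dereference null)\n",
                (void*)vuln.get(), (const void*)(vuln ? vuln->chooseSilf(0) : nullptr));
    auto fixed = demo::make_face_fixed(silfless, demo::kDumbRendering);
    std::printf("fixed: face=%p (font rejected before any Segment exists)\n",
                (void*)fixed.get());
    return 0;
}
```

The check to take away is the one in `can_make_segment`: a face can exist without a shaping table, so the segment constructor (or whatever sits in front of it) must treat `chooseSilf()` returning null as a reportable error, not as an invariant. The maintainer's fix removes the only path that produced such a face; the guard is the belt to that pair of braces.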